A use-after-free vulnerability allows you to leak libc and overwrite the shadowstack. You can then use the stack overflow "functionnality" given at exit to achieve RCE through ROP.

Original writeup (https://0xukn.fr/posts/writeupkipodafterfreectf2020shadowstuck/).